The company today admitted that at some point in the past, an unauthorized party added code to its ScreenOS firmware used by NetScreen devices, which could allow attackers to gain administrative access to devices as well as decrypt VPN connections.

It’s a huge admission, even if Juniper is trying to downplay it — though it’s impressive it disclosed it at all. The company didn’t say whether it knows who the unauthorized party is, or if it was an internal security failure rather than a breach of the company itself.

A Juniper NetScreen 5200 device

The fact that Juniper doesn’t know — or won’t admit — when the software was added or by whom is cause for concern, as it may have existed for years before detection.

Considering the NSA’s active spy programs, it’s easy to connect the dots between this attack and the spy agency’s FEEDTROUGH program, which “burrows into Juniper firewalls and makes it possible to smuggle other NSA programs” into a network.

Juniper is remaining tight-lipped about the attack, though its knowledgebase article admits that “there is no way to detect that this vulnerability was exploited” and that it can lead to “complete compromise” of the affected system.

The company has released a patch for the vulnerability for NetScreen devices, but given there’s no way to detect the attack and Juniper only just realized this code exists, it’s a big ask for customers to trust that there isn’t other code it doesn’t know about as well.